Skip to main content

Memberships, Roles, and Namespaces

What are memberships, roles, and namespaces?​

Memberships are the link between group hierarchy, workspaces, users, teams, and other workloads.

Groups and workspaces represent namespace types, which memberships are associated with. Within a group hierarchy, memberships are inherited by nested groups and workspaces.

Each membership is associated with a role (viewer, deployer, owner) that determines the access level and therefore the capabilities of the membership. A viewer, for example, is a read-only role and therefore cannot modify any data within namespaces. A deployer or higher, however, can modify (create, update, delete) groups, workspaces, service accounts, etc.

Have a question?

Check the FAQ to see if there's already an answer.

Membership types and differences​

  • Tharsis offers three types of memberships:

    • User (a human user)
    • Team (a collection of human users)
    • Service Account (M2M)
note

While user and team interconnect to represent human users, a service account, on the other hand, is used for Machine to Machine (M2M) authentication like a CI/CD pipeline interfacing with Tharsis.

Membership breakdown​

Non-visual representation​

  • Each group and workspace has a membership list.
  • A membership list can include users, teams, and service accounts.
  • Only a human user (not a service account, etc.) can be a member of a team.
  • Making a team a member of a group (or workspace) gives all users who are members of that team access.

Visual representation​

Membership and namespace flowchart

note

A group can have one or more subgroups and/or workspaces.

A team can also be assigned a role, making the process of access control more streamlined.

Roles and permissions​

  • Tharsis offers three types of roles out-of-the-box:

    • Viewer
      • Read-only permissions to group or workspace.
      • Can view all workspace data except sensitive data like the state file and variables.
    • Deployer
      • Has all required permissions to configure and deploy modules.
      • Can modify (create/update/delete) groups, workspaces, service accounts, etc.
      • Can execute plan, apply, and teardown operations.
      • Primarily for day-to-day DevOps roles.
    • Owner
      • Group admin permissions.
      • Can manage group memberships and managed identities.
      • Sets group/workspace policies.

  • Custom roles (NOT YET SUPPORTED)

    • Useful when default roles are not sufficient.
    • Provide a mechanism for assigning granular permissions to roles.
    • Can only be created by system admins.

Frequently asked questions (FAQ)​

If multiple memberships are specified for the same subject in a namespace hierarchy, which one takes precedence?​

The first membership found while traversing up the hierarchy will take precedence.

Where can I manage the members for a group or a workspace?​

From the group/workspace details page, select the Members tab on the left sidebar.

Click here for a visual

Screenshot of the Tharsis UI showing members page